Forum Discussion

Reddy1
Nov 27, 2019

Mutual auth using client certificate

Hi,

I have a quick question about mutual auth using a client certificate on the F5. The existing setup is to validate the incoming certificate from the client and then allow access to the server pool. The application team would also like to perform the client cert authentication. My question is: would the client cert still exist when it hits the server, or does it get stripped off after the F5 validates it?

Is there an iRule wherein we can attest the incoming client cert to the server-ssl profile when it's sent to the server pool? The server SSL profile will be pre-configured; however, the cert will be dynamic.


Thanks,

Reddy

1 Reply

  • Hi Reddy,

    AFAIK you can't just modify the serverssl profile on the fly, and anyway, you will not have the client private key in order to impersonate him for mutual auth. If the backend application really requires the certificate information, there are 2 options in my opinion:

    1 - If the backend requires SSL mutual auth (at the SSL connection level), you can use Client Certificate Constrained Delegation.

    2 - If the backend can read HTTP headers and doesn't require TLS mutual auth at the connection level, you can potentially add the client certificate in an HTTP header as described here: https://devcentral.f5.com/s/question/0D51T00006i7UPA/inserting-ssl-client-certificate-into-the-header-of-the-http-session. But ensure that only the BIG-IP injects that header (delete any header with the same name coming from the Internet); otherwise you may cause a security issue :)


    Hope this gives you pointers...


    Yoann
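The second option in the reply above, written out as an iRule. This is an added example, not code from the original thread or from the linked DevCentral post: the header names `X-Client-Cert` and `X-Client-Cert-Subject` and the variable names are chosen here for illustration. It assumes the virtual server's client SSL profile has the client certificate setting at request or require with a trusted CA bundle, so that `CLIENTSSL_CLIENTCERT` fires only for a certificate the BIG-IP has already validated. The point the reply makes is enforced first: every client-supplied header of the same name is removed before the BIG-IP inserts its own value.

```tcl
# Added example (not from the original thread): forward the validated
# client certificate to the pool in an HTTP header, after stripping any
# header of the same name that arrived from the client side.
# Assumptions: client SSL profile set to request/require a client cert
# with a trusted CA bundle; header names chosen here for illustration.

when CLIENTSSL_CLIENTCERT {
    # Fires once the client presents its certificate during the TLS
    # handshake. Keep it for the lifetime of this TCP connection so every
    # HTTP request on it can carry the same value.
    if { [SSL::cert count] > 0 } {
        # DER certificate, base64 encoded; strip line breaks so the value
        # fits on a single HTTP header line.
        set client_cert_b64 [string map {"\r" "" "\n" ""} [b64encode [SSL::cert 0]]]
        set client_cert_subject [X509::subject [SSL::cert 0]]
    } else {
        set client_cert_b64 ""
        set client_cert_subject ""
    }
}

when HTTP_REQUEST {
    # Never trust these headers from the client side. Remove every instance
    # (a request may carry the header several times) before deciding
    # whether to insert our own value.
    while { [HTTP::header exists "X-Client-Cert"] } {
        HTTP::header remove "X-Client-Cert"
    }
    while { [HTTP::header exists "X-Client-Cert-Subject"] } {
        HTTP::header remove "X-Client-Cert-Subject"
    }

    # Only insert when a certificate was actually received on this
    # connection; with "request" mode a client may connect without one.
    if { [info exists client_cert_b64] && $client_cert_b64 ne "" } {
        HTTP::header insert "X-Client-Cert" $client_cert_b64
        HTTP::header insert "X-Client-Cert-Subject" $client_cert_subject
    }
}
```

The backend should also accept these headers only on a path that nothing but the BIG-IP can reach (for example, pool members that are not routable from the Internet, or a server SSL profile where the BIG-IP's own certificate authenticates it to the pool); a host that can reach the pool directly could otherwise set `X-Client-Cert` itself, since stripping the header in the iRule only protects requests that pass through the virtual server.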